Best Practices for Creating a Strong Patient Portal

By Elizabeth Snell

With technology continuously evolving, it has never been more critical for healthcare organizations to remain aware of the privacy and security risks in terms of patient data access management. Moreover, facilities are transitioning to value-based, patient-centric, integrated care models.

As patient-centric models become the norm, tools like patient portals are increasing in popularity. Individuals can not only access their protected health information (PHI) and health records, but also communicate with their personal care provider (PCP). This is also a current requirement of Stage 2 Meaningful Use. Specifically, more than 50 percent of all patients seen during the EHR reporting period need to be given online access to their health information, while more than 5 percent of all patients seen during the EHR reporting period need to be able to view, download, or transmit their health information to a third party.

It’s critical for healthcare providers to take control of that data, ensuring that they’re managing security and privacy risk, as well as managing clinical and financial risk. But how can organizations find the right balance between giving patients data access, and also keeping that health data secure?

Create a secure portal

This might sound simple, but healthcare organizations cannot overlook instilling basic security measures. For example, multiple layers of authentication can help ensure that cyber criminals cannot easily access a patient’s PHI through a patient portal. PIN authentication, multi-factor authentication – rotating tokens, SMS codes, “dongles” – and encouraging patients to use strong and unique passwords can all go a long way in establishing a secure log-in process.

Penetration testing can also help provide security. For example, a provider could determine whether, after displaying one patient’s record, a different patient’s record can be displayed simply by editing the record identifier in the browser’s URL.
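The check described above, as an added example that is not the article’s code: a record endpoint that trusts the URL-supplied id beside one that verifies the record belongs to the logged-in patient, plus the automated form of the test. Records, ids and the `Session` type are constructed.

```python
"""Object-level authorization for a patient-portal record endpoint. Added example,
not the article's code; records, ids and the Session type are constructed."""
from dataclasses import dataclass

# Constructed sample records: record_id -> (owning patient_id, summary)
RECORDS = {
    "rec-1001": ("pat-1", "Lab results 2016-03"),
    "rec-1002": ("pat-2", "Visit summary 2016-04"),
}


@dataclass(frozen=True)
class Session:
    patient_id: str  # identity established at login, never taken from the URL


class Forbidden(Exception):
    pass


def get_record_vulnerable(session: Session, record_id: str) -> str:
    """The defect the article's check exposes: the lookup trusts the URL-supplied
    id alone, so changing it in the browser returns another patient's record."""
    return RECORDS[record_id][1]


def get_record(session: Session, record_id: str) -> str:
    """Hardened handler: the record must belong to the authenticated patient."""
    entry = RECORDS.get(record_id)
    # Same response for 'unknown id' and 'not your record' so valid ids leak nothing.
    if entry is None or entry[0] != session.patient_id:
        raise Forbidden("record not accessible in this session")
    return entry[1]


def passes_idor_check(handler, own_id: str, other_id: str) -> bool:
    """Automated form of the article's test: as pat-1, view your own record, then
    request an id belonging to another patient and confirm the handler refuses."""
    session = Session(patient_id="pat-1")
    handler(session, own_id)
    try:
        handler(session, other_id)
    except Forbidden:
        return True
    return False  # another patient's record was served


if __name__ == "__main__":
    print("vulnerable:", passes_idor_check(get_record_vulnerable, "rec-1001", "rec-1002"))
    print("hardened:  ", passes_idor_check(get_record, "rec-1001", "rec-1002"))
```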

Healthcare organizations would also be well-advised to explain to patients that they should be smart about their use of the portals, and discourage the sharing of user names or passwords.

Overall, patient risk factors such as password strength, multifactor authentication and password reset policies need to be accounted for. A healthcare organization’s internal server must also remain secure because a breach may affect any patients who use the portal.

Work with the patients

A secure patient portal should enhance the care experience for a patient, while reassuring customers that their PHI will remain private and secure. Providers should familiarize themselves with the security surrounding their patient portal so they can help convince patients to engage. This will also give providers the opportunity to endorse the patient portal for patients who are unsure of its safety. Establishing trust in the online ecosystem is just as critical as establishing that trust in person.

Another key aspect to keep in mind though is that providers are not required to obtain consent from their patients to implement a patient portal. HIPAA permits the disclosure of health information to the patient without requiring the patient’s express consent. However, a patient portal is a good way for patients to access their own information and become active participants in their care.

Work with the vendors

When healthcare providers implement a portal, it is critical to work with the chosen vendor to ensure that privacy and security safeguards are put in place. Each facility is different, and it’s important to establish security measures that are appropriate for a provider’s size, location, type and current privacy and security safeguards.

Providers should also invest the proper time in training and preparation. Customization of the system will likely be needed, depending on how the practice functions, on the individual work styles of the various providers, and on how they interact. Until a vendor fully understands what a healthcare provider needs and wants from a patient portal, it will be difficult to create the right tool.

Creating solid ground for the portal

Before launching a patient portal, the entire healthcare team must be ready to support it and to ensure that it is working as expected. But there are likely going to be bumps along the way and all parties involved are going to need to assist in working through them. The provider will only be able to move ahead with certain aspects of patient engagement as quickly as the system is upgraded.

Any security issues should be reported immediately in order to rectify the situation quickly and mitigate future problems. It’s very important that providers with population health strategies review their security risks early and ensure that data control is a fundamental part of their strategy before trouble occurs.

Finally, a proactive incident recognition and response program will also help in creating a secure portal. Significant damage to a provider’s reputation can occur when a security breach is not handled in a timely fashion. An important aspect of good incident response is proactively monitoring the portal for suspicious events, service interruptions, code errors, and general utilization issues. It’s essential to have timely responses that analyze initial causes, correct deficiencies and communicate with the patient population.
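One concrete form of the monitoring advised above, as an added example rather than anything from the article: a detector run over constructed portal access-log lines that flags a session viewing records belonging to several different patients and a burst of failed logins against one account. The log format and the thresholds are assumptions.

```python
"""Detector for two suspicious patterns in patient-portal access logs: one session
viewing records of several different patients, and a burst of failed logins on one
account. Added example, not the article's; log format and thresholds are assumed."""
from collections import defaultdict

# Constructed sample log: timestamp EVENT session=... user=... owner=...
SAMPLE_LOG = """\
2016-05-01T10:00:01 LOGIN_OK session=s1 user=pat-1 owner=-
2016-05-01T10:00:05 RECORD_VIEW session=s1 user=pat-1 owner=pat-1
2016-05-01T10:00:09 RECORD_VIEW session=s1 user=pat-1 owner=pat-2
2016-05-01T10:00:12 RECORD_VIEW session=s1 user=pat-1 owner=pat-3
2016-05-01T10:01:00 LOGIN_FAIL session=- user=pat-7 owner=-
2016-05-01T10:01:02 LOGIN_FAIL session=- user=pat-7 owner=-
2016-05-01T10:01:04 LOGIN_FAIL session=- user=pat-7 owner=-
2016-05-01T10:01:06 LOGIN_FAIL session=- user=pat-7 owner=-
2016-05-01T10:01:08 LOGIN_FAIL session=- user=pat-7 owner=-
2016-05-01T10:02:00 LOGIN_OK session=s2 user=pat-2 owner=-
2016-05-01T10:02:03 RECORD_VIEW session=s2 user=pat-2 owner=pat-2
"""

def parse_line(line: str):
    """Split 'timestamp EVENT key=value ...' into (timestamp, event, fields)."""
    ts, event, *rest = line.split()
    return ts, event, dict(f.split("=", 1) for f in rest)

def detect(log_text: str, max_owners: int = 1, max_failures: int = 5) -> list:
    """Return (alert_type, subject, detail) tuples. A portal user should only view
    records they own, so >1 owner per session means broken authorization or a
    hijacked session; repeated login failures point at password guessing."""
    owners_by_session = defaultdict(set)
    failures_by_user = defaultdict(int)
    for line in log_text.splitlines():
        _, event, f = parse_line(line)
        if event == "RECORD_VIEW":
            owners_by_session[f["session"]].add(f["owner"])
        elif event == "LOGIN_FAIL":
            failures_by_user[f["user"]] += 1
    alerts = []
    for sess, owners in sorted(owners_by_session.items()):
        if len(owners) > max_owners:
            alerts.append(("cross_patient_access", sess, sorted(owners)))
    for user, n in sorted(failures_by_user.items()):
        if n >= max_failures:
            alerts.append(("login_failure_burst", user, n))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```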
